~ubuntu-branches/ubuntu/quantal/lxc/quantal-201205292108 : contents of templates/lxc-ubuntu.in at revision 1.1.11

~ubuntu-branches/ubuntu/quantal/lxc/quantal-201205292108 : (revision 1.1.11)
#!/bin/bash

#
# template script for generating ubuntu container for LXC
#
# This script consolidates and extends the existing lxc ubuntu scripts
#

# Copyright © 2011 Serge Hallyn <serge.hallyn@canonical.com>
# Copyright © 2010 Wilhelm Meier
# Author: Wilhelm Meier <wilhelm.meier@fh-kl.de>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2, as
# published by the Free Software Foundation.

# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.

# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#

if [ -r /etc/default/lxc ]; then
    . /etc/default/lxc
fi

configure_ubuntu()
{
    rootfs=$1
    hostname=$2
    release=$3

   # configure the network using the dhcp
    cat <<EOF > $rootfs/etc/network/interfaces
auto lo
iface lo inet loopback

auto eth0
iface eth0 inet dhcp
EOF

    # set the hostname
    cat <<EOF > $rootfs/etc/hostname
$hostname
EOF
    # set minimal hosts
    cat <<EOF > $rootfs/etc/hosts
127.0.0.1 localhost $hostname
EOF

    if [ "$release" = "precise" ]; then
        group="sudo"
    else
        group="admin"

        # suppress log level output for udev
        sed -i "s/=\"err\"/=0/" $rootfs/etc/udev/udev.conf

        # remove jobs for consoles 5 and 6 since we only create 4 consoles in
        # this template
        rm -f $rootfs/etc/init/tty{5,6}.conf
    fi

    chroot $rootfs groupadd --system $group >/dev/null 2>&1 || true
    chroot $rootfs useradd --create-home -s /bin/bash -G $group ubuntu
    echo "ubuntu:ubuntu" | chroot $rootfs chpasswd
    if [ -n "$auth_key" -a -f "$auth_key" ]; then
	u_path="/home/ubuntu/.ssh"
	root_u_path="$rootfs/$u_path"
	mkdir -p $root_u_path
	cp $auth_key "$root_u_path/authorized_keys"
	chroot $rootfs chown -R ubuntu: "$u_path"

	echo "Inserted SSH public key from $auth_key into /home/ubuntu/.ssh/authorized_keys"
    fi
    return 0
}

write_sourceslist()
{
    # $1 => path to the rootfs
    # $2 => architecture we want to add
    # $3 => whether to use the multi-arch syntax or not

    case $2 in
      amd64|i386)
            MIRROR=${MIRROR:-http://archive.ubuntu.com/ubuntu}
            SECURITY_MIRROR=${SECURITY_MIRROR:-http://security.ubuntu.com/ubuntu}
            ;;
      sparc)
            case $SUITE in
              gutsy)
            MIRROR=${MIRROR:-http://archive.ubuntu.com/ubuntu}
            SECURITY_MIRROR=${SECURITY_MIRRORMIRROR:-http://security.ubuntu.com/ubuntu}
            ;;
              *)
            MIRROR=${MIRROR:-http://ports.ubuntu.com/ubuntu-ports}
            SECURITY_MIRROR=${SECURITY_MIRROR:-http://ports.ubuntu.com/ubuntu-ports}
            ;;
            esac
            ;;
      *)
            MIRROR=${MIRROR:-http://ports.ubuntu.com/ubuntu-ports}
            SECURITY_MIRROR=${SECURITY_MIRROR:-http://ports.ubuntu.com/ubuntu-ports}
            ;;
    esac
    if [ -n "$3" ]; then
        cat >> "$1/etc/apt/sources.list" << EOF
deb [arch=$2] $MIRROR ${release} main restricted universe multiverse
deb [arch=$2] $MIRROR ${release}-updates main restricted universe multiverse
deb [arch=$2] $SECURITY_MIRROR ${release}-security main restricted universe multiverse
EOF
    else
        cat >> "$1/etc/apt/sources.list" << EOF
deb $MIRROR ${release} main restricted universe multiverse
deb $MIRROR ${release}-updates main restricted universe multiverse
deb $SECURITY_MIRROR ${release}-security main restricted universe multiverse
EOF
    fi
}

download_ubuntu()
{
    cache=$1
    arch=$2
    release=$3

    if [ $release = "lucid" ]; then
        packages=dialog,apt,apt-utils,resolvconf,iproute,inetutils-ping,vim,dhcp3-client,ssh,lsb-release,gnupg
    elif [ $release = "maverick" ]; then
        packages=dialog,apt,apt-utils,resolvconf,iproute,inetutils-ping,vim,dhcp3-client,ssh,lsb-release,gnupg,netbase
    elif [ $release = "natty" ]; then
        packages=dialog,apt,apt-utils,resolvconf,iproute,inetutils-ping,vim,isc-dhcp-client,isc-dhcp-common,ssh,lsb-release,gnupg,netbase
    else
        packages=dialog,apt,apt-utils,iproute,inetutils-ping,vim,isc-dhcp-client,isc-dhcp-common,ssh,lsb-release,gnupg,netbase,ubuntu-keyring
    fi
    echo "installing packages: $packages"

    # check the mini ubuntu was not already downloaded
    mkdir -p "$cache/partial-$arch"
    if [ $? -ne 0 ]; then
        echo "Failed to create '$cache/partial-$arch' directory"
        return 1
    fi

    # download a mini ubuntu into a cache
    echo "Downloading ubuntu $release minimal ..."
    if [ -n "$(which qemu-debootstrap)" ]; then
        qemu-debootstrap --verbose --components=main,universe --arch=$arch --include=$packages $release $cache/partial-$arch $MIRROR
    else
        debootstrap --verbose --components=main,universe --arch=$arch --include=$packages $release $cache/partial-$arch $MIRROR
    fi

    if [ $? -ne 0 ]; then
        echo "Failed to download the rootfs, aborting."
            return 1
    fi

    echo "Installing updates"
    if [ -z "$MIRROR" ]; then
        MIRROR="http://archive.ubuntu.com/ubuntu"
    fi
    cat >> "$1/partial-${arch}/etc/apt/sources.list" << EOF
deb $MIRROR ${release}-updates main universe
deb http://security.ubuntu.com/ubuntu ${release}-security main universe
EOF
    chroot "$1/partial-${arch}" apt-get update
    if [ $? -ne 0 ]; then
        echo "Failed to update the apt cache"
        return 1
    fi
    cat > "$1/partial-${arch}"/usr/sbin/policy-rc.d << EOF
#!/bin/sh
exit 101
EOF
    chmod +x "$1/partial-${arch}"/usr/sbin/policy-rc.d

    chroot "$1/partial-${arch}" apt-get dist-upgrade -y
    ret=$?

    rm -f "$1/partial-${arch}"/usr/sbin/policy-rc.d
    if [ $ret -ne 0 ]; then
        echo "Failed to upgrade the cache"
        return 1
    fi

    # Serge isn't sure whether we should avoid doing this when
    # $release == `distro-info -d`
    echo "Installing updates"
    > $cache/partial-$arch/etc/apt/sources.list
    write_sourceslist $cache/partial-$arch/ $arch

    chroot "$1/partial-${arch}" apt-get update
    if [ $? -ne 0 ]; then
        echo "Failed to update the apt cache"
        return 1
    fi
    cat > "$1/partial-${arch}"/usr/sbin/policy-rc.d << EOF
#!/bin/sh
exit 101
EOF
    chmod +x "$1/partial-${arch}"/usr/sbin/policy-rc.d

    lxc-unshare -s MOUNT -- chroot "$1/partial-${arch}" apt-get dist-upgrade -y
    ret=$?
    rm -f "$1/partial-${arch}"/usr/sbin/policy-rc.d

    if [ $ret -ne 0 ]; then
        echo "Failed to upgrade the cache"
        return 1
    fi

    mv "$1/partial-$arch" "$1/rootfs-$arch"
    echo "Download complete"
    return 0
}

copy_ubuntu()
{
    cache=$1
    arch=$2
    rootfs=$3

    # make a local copy of the miniubuntu
    echo "Copying rootfs to $rootfs ..."
    mkdir -p $rootfs
    rsync -a $cache/rootfs-$arch/ $rootfs/ || return 1
    return 0
}

install_ubuntu()
{
    rootfs=$1
    release=$2
    flushcache=$3
    cache="/var/cache/lxc/$release"
    mkdir -p /var/lock/subsys/
    (
	flock -n -x 200
	if [ $? -ne 0 ]; then
	    echo "Cache repository is busy."
	    return 1
	fi


    if [ $flushcache -eq 1 ]; then
        echo "Flushing cache..."
        rm -rf "$cache/partial-$arch"
        rm -rf "$cache/rootfs-$arch"
    fi

	echo "Checking cache download in $cache/rootfs-$arch ... "
	if [ ! -e "$cache/rootfs-$arch" ]; then
	    download_ubuntu $cache $arch $release
	    if [ $? -ne 0 ]; then
		echo "Failed to download 'ubuntu $release base'"
		return 1
	    fi
	fi

	echo "Copy $cache/rootfs-$arch to $rootfs ... "
	copy_ubuntu $cache $arch $rootfs
	if [ $? -ne 0 ]; then
	    echo "Failed to copy rootfs"
	    return 1
	fi

	return 0

	) 200>/var/lock/subsys/lxc

    return $?
}

copy_configuration()
{
    path=$1
    rootfs=$2
    name=$3
    arch=$4
    release=$5

    if [ $arch = "i386" ]; then
        arch="i686"
    fi

    ttydir=""
    if [ $release = "precise" ]; then
        ttydir=" lxc"
    fi

    # if there is exactly one veth network entry, make sure it has an
    # associated hwaddr.
    nics=`grep -e '^lxc\.network\.type[ \t]*=[ \t]*veth' $path/config | wc -l`
    if [ $nics -eq 1 ]; then
        grep -q "^lxc.network.hwaddr" $path/config || cat <<EOF >> $path/config
lxc.network.hwaddr= 00:16:3e:$(openssl rand -hex 3| sed 's/\(..\)/\1:/g; s/.$//')
EOF
    fi

    cat <<EOF >> $path/config
lxc.utsname = $name

lxc.devttydir = $ttydir
lxc.tty = 4
lxc.pts = 1024
lxc.rootfs = $rootfs
lxc.mount  = $path/fstab
lxc.arch = $arch
lxc.cap.drop = sys_module mac_admin mac_override

lxc.cgroup.devices.deny = a
# Allow any mknod (but not using the node)
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
# /dev/null and zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
# consoles
lxc.cgroup.devices.allow = c 5:1 rwm
lxc.cgroup.devices.allow = c 5:0 rwm
#lxc.cgroup.devices.allow = c 4:0 rwm
#lxc.cgroup.devices.allow = c 4:1 rwm
# /dev/{,u}random
lxc.cgroup.devices.allow = c 1:9 rwm
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 136:* rwm
lxc.cgroup.devices.allow = c 5:2 rwm
# rtc
lxc.cgroup.devices.allow = c 254:0 rwm
#fuse
lxc.cgroup.devices.allow = c 10:229 rwm
#tun
lxc.cgroup.devices.allow = c 10:200 rwm
#full
lxc.cgroup.devices.allow = c 1:7 rwm
#hpet
lxc.cgroup.devices.allow = c 10:228 rwm
#kvm
lxc.cgroup.devices.allow = c 10:232 rwm
EOF

    cat <<EOF > $path/fstab
proc            $rootfs/proc         proc    nodev,noexec,nosuid 0 0
sysfs           $rootfs/sys          sysfs defaults  0 0
EOF

    if [ $? -ne 0 ]; then
	echo "Failed to add configuration"
	return 1
    fi

    return 0
}

trim()
{
    rootfs=$1
    release=$2

    # provide the lxc service
    cat <<EOF > $rootfs/etc/init/lxc.conf
# fake some events needed for correct startup other services

description     "Container Upstart"

start on startup

script
        rm -rf /var/run/*.pid
        rm -rf /var/run/network/*
        /sbin/initctl emit stopped JOB=udevtrigger --no-wait
        /sbin/initctl emit started JOB=udev --no-wait
end script
EOF

    # fix buggus runlevel with sshd
    cat <<EOF > $rootfs/etc/init/ssh.conf
# ssh - OpenBSD Secure Shell server
#
# The OpenSSH server provides secure shell access to the system.

description	"OpenSSH server"

start on filesystem
stop on runlevel [!2345]

expect fork
respawn
respawn limit 10 5
umask 022
# replaces SSHD_OOM_ADJUST in /etc/default/ssh
oom never

pre-start script
    test -x /usr/sbin/sshd || { stop; exit 0; }
    test -e /etc/ssh/sshd_not_to_be_run && { stop; exit 0; }
    test -c /dev/null || { stop; exit 0; }

    mkdir -p -m0755 /var/run/sshd
end script

# if you used to set SSHD_OPTS in /etc/default/ssh, you can change the
# 'exec' line here instead
exec /usr/sbin/sshd
EOF

    cat <<EOF > $rootfs/etc/init/console.conf
# console - getty
#
# This service maintains a console on tty1 from the point the system is
# started until it is shut down again.

start on stopped rc RUNLEVEL=[2345]
stop on runlevel [!2345]

respawn
exec /sbin/getty -8 38400 /dev/console
EOF

    cat <<EOF > $rootfs/lib/init/fstab
# /lib/init/fstab: cleared out for bare-bones lxc
EOF

    # reconfigure some services
    if [ -z "$LANG" ]; then
	chroot $rootfs locale-gen en_US.UTF-8
	chroot $rootfs update-locale LANG=en_US.UTF-8
    else
	chroot $rootfs locale-gen $LANG
	chroot $rootfs update-locale LANG=$LANG
    fi

    # remove pointless services in a container
    chroot $rootfs /usr/sbin/update-rc.d -f ondemand remove

    chroot $rootfs /bin/bash -c 'cd /etc/init; for f in $(ls u*.conf); do mv $f $f.orig; done'
    chroot $rootfs /bin/bash -c 'cd /etc/init; for f in $(ls tty[2-9].conf); do mv $f $f.orig; done'
    chroot $rootfs /bin/bash -c 'cd /etc/init; for f in $(ls plymouth*.conf); do mv $f $f.orig; done'
    chroot $rootfs /bin/bash -c 'cd /etc/init; for f in $(ls hwclock*.conf); do mv $f $f.orig; done'
    chroot $rootfs /bin/bash -c 'cd /etc/init; for f in $(ls module*.conf); do mv $f $f.orig; done'

    # if this isn't lucid, then we need to twiddle the network upstart bits :(
    if [ $release != "lucid" ]; then
        sed -i 's/^.*emission handled.*$/echo Emitting lo/' $rootfs/etc/network/if-up.d/upstart
    fi
}

post_process()
{
    rootfs=$1
    release=$2
    trim_container=$3

    if [ $trim_container -eq 1 ]; then
        trim $rootfs $release
    elif [ $release = "lucid" -o $release = "maverick" -o $release = "natty" \
               -o $release = "oneiric" ]; then
        # for lucid and maverick, if not trimming, then add the ubuntu-virt
        # ppa and install lxcguest
        if [ $release = "lucid" -o $release = "maverick" ]; then
            chroot $rootfs apt-get install --force-yes -y python-software-properties
            chroot $rootfs add-apt-repository ppa:ubuntu-virt/ppa
        fi
        cp /etc/resolv.conf "${rootfs}/etc"
        chroot $rootfs apt-get update
        chroot $rootfs apt-get install --force-yes -y lxcguest
    fi

    # If the container isn't running a native architecture, setup multiarch
    if [ -x "$(ls -1 ${rootfs}/usr/bin/qemu-*-static 2>/dev/null)" ]; then
        mkdir -p ${rootfs}/etc/dpkg/dpkg.cfg.d
        echo "foreign-architecture ${hostarch}" > ${rootfs}/etc/dpkg/dpkg.cfg.d/lxc-multiarch

        # Save existing value of MIRROR and SECURITY_MIRROR
        DEFAULT_MIRROR=$MIRROR
        DEFAULT_SECURITY_MIRROR=$SECURITY_MIRROR

        # Write a new sources.list containing both native and multiarch entries
        > ${rootfs}/etc/apt/sources.list
        write_sourceslist $rootfs $arch "native"

        MIRROR=$DEFAULT_MIRROR
        SECURITY_MIRROR=$DEFAULT_SECURITY_MIRROR
        write_sourceslist $rootfs $hostarch "multiarch"

        # Finally update the lists and install upstart using the host architecture
        chroot $rootfs apt-get update
        chroot $rootfs apt-get install --force-yes -y --no-install-recommends upstart:${hostarch} mountall:amd64 iproute:amd64 isc-dhcp-client:amd64
    fi
}

do_bindhome()
{
    rootfs=$1
    user=$2

    # copy /etc/passwd, /etc/shadow, and /etc/group entries into container
    pwd=`getent passwd $user`
    if [ $? -ne 0 ]; then
        echo 'Warning: failed to copy password entry for $user'
	return
    else
        echo $pwd >> $rootfs/etc/passwd
    fi
    shad=`getent shadow $user`
    echo $shad >> $rootfs/etc/shadow

    # bind-mount the user's path into the container's /home
    h=`getent passwd $user | cut -d: -f 6`
    mkdir -p $rootfs/$h
    echo "$h $rootfs/$h none bind 0 0" >> $path/fstab
}

usage()
{
    cat <<EOF
$1 -h|--help [-a|--arch] [-b|--bindhome <user>] [--trim]
   [-F | --flush-cache] [-r|--release <release>] [ -S | --auth_key <keyfile>]
release: lucid | maverick | natty | oneiric | precise
trim: make a minimal (faster, but not upgrade-safe) container
bindhome: bind <user>'s home into the container
arch: amd64 or i386: defaults to host arch
auth_key: SSH Public key file to inject into container
EOF
    return 0
}

options=$(getopt -o a:b:hp:r:xn:FS: -l arch:,bindhome:,help,path:,release:,trim,name:,flush-cache,auth-key: -- "$@")
if [ $? -ne 0 ]; then
    usage $(basename $0)
    exit 1
fi
eval set -- "$options"

release=lucid
if [ -f /etc/lsb-release ]; then
    . /etc/lsb-release
    case "$DISTRIB_CODENAME" in
        lucid|maverick|natty|oneiric|precise)
            release=$DISTRIB_CODENAME
        ;;
    esac
fi

bindhome=
arch=$(arch)

# Code taken from debootstrap
if [ -x /usr/bin/dpkg ] && /usr/bin/dpkg --print-architecture >/dev/null 2>&1; then
    arch=`/usr/bin/dpkg --print-architecture`
elif type udpkg >/dev/null 2>&1 && udpkg --print-architecture >/dev/null 2>&1; then
    arch=`/usr/bin/udpkg --print-architecture`
else
    arch=$(arch)
    if [ "$arch" = "i686" ]; then
        arch="i386"
    elif [ "$arch" = "x86_64" ]; then
        arch="amd64"
    elif [ "$arch" = "armv7l" ]; then
        arch="armel"
    fi
fi

trim_container=0
hostarch=$arch
flushcache=0
while true
do
    case "$1" in
    -h|--help)      usage $0 && exit 0;;
    -p|--path)      path=$2; shift 2;;
    -n|--name)      name=$2; shift 2;;
    -F|--flush-cache) flushcache=1; shift 1;;
    -r|--release)   release=$2; shift 2;;
    -b|--bindhome)  bindhome=$2; shift 2;;
    -a|--arch)      arch=$2; shift 2;;
    -x|--trim)      trim_container=1; shift 1;;
    -S|--auth_key)  auth_key=$2; shift 2;;
    --)             shift 1; break ;;
        *)              break ;;
    esac
done

pwd=`getent passwd $bindhome`
if [ $? -ne 0 ]; then
    echo "Error: no password entry found for $bindhome"
    exit 1
fi


if [ "$arch" == "i686" ]; then
    arch=i386
fi

if [ $hostarch = "i386" -a $arch = "amd64" ]; then
    echo "can't create amd64 container on i386"
    exit 1
fi

type debootstrap
if [ $? -ne 0 ]; then
    echo "'debootstrap' command is missing"
    exit 1
fi

if [ -z "$path" ]; then
    echo "'path' parameter is required"
    exit 1
fi

if [ "$(id -u)" != "0" ]; then
    echo "This script should be run as 'root'"
    exit 1
fi

rootfs=$path/rootfs

install_ubuntu $rootfs $release $flushcache
if [ $? -ne 0 ]; then
    echo "failed to install ubuntu $release"
    exit 1
fi

configure_ubuntu $rootfs $name $release
if [ $? -ne 0 ]; then
    echo "failed to configure ubuntu $release for a container"
    exit 1
fi

copy_configuration $path $rootfs $name $arch $release
if [ $? -ne 0 ]; then
    echo "failed write configuration file"
    exit 1
fi

post_process $rootfs $release $trim_container
if [ ! -z $bindhome ]; then
	do_bindhome $rootfs $bindhome
fi

echo ""
echo "##"
echo "# The default user is 'ubuntu' with password 'ubuntu'!"
echo "# Use the 'sudo' command to run tasks as root in the container."
echo "##"
echo ""